May the fourth be with you…
Get comfortable, put on your headphones or turn up your speaker volume, and enjoy this guitar rendition of the Ewok Celebration, commonly known as Yub Nub while catching up on Metasploit updates for the week.
Xdebug is an extension for PHP to facilitate development by providing interactive debugging capabilities and much more. On an engagement, one might discover development and staging systems with the extension deployed, and if one is really lucky production systems with the module haphazardly deployed. Single step debugging through someone else’s code doesn’t sound like as much fun as a command shell in this situation! Ricter Zheng discovered and posted a brief writeup about a remote code execution vulnerability in Xdebug. Shaksham Jaiswal (MinatoTW) used the information to create the exploits/unix/http/xdebug_unauth_exec module that exploits a vulnerability in the eval command present in Xdebug versions 2.5.5 and below, allowing the attacker to execute arbitrary PHP code in the context of the web user.
She Sells Sea Shells
You or someone you know may have purchased items, perhaps more Star Wars paraphernalia today, from an online shop that is hosted using the osCommerce Online Merchant software package, a common e-commerce frontend and administration backend developed in PHP. Simon Scannell recently discovered a remote code execution vulnerability in osCommerce version 18.104.22.168 and Daniel Teixeira (DanielRTeixeira) delivered yet again by converting that work into a module. If an administrator failed to cleanup after the osCommerce installation, an unauthenticated adversary could reinstall the software from the
/install/ directory, creating the configuration file for the installation and thus allowing the adversary to inject PHP into the configuration file. All it takes after that is a simple request to get code execution. Sally might be selling sea shells, but Mallory is flipping PHP shells because she updated to the latest Metasploit Framework.
Chris opened #9939 that adds the ability to automatically run remote data service tests. This allows us to ensure proper execution from the client API through to the remote data service is tested via RSpec. In addition, each of the API endpoints is being documented using the OpenAPI specification Version 2.0 to facilitate use of the API. A pull request for those changes should be opened soon.
Exploit modules (4 new)
- Metasploit msfd Remote Code Execution via Browser by Robin Stenvi
- osCommerce Installer Unauthenticated Code Execution by Daniel Teixeira and Simon Scannell
- Metasploit msfd Remote Code Execution by Robin Stenvi
- xdebug Unauthenticated OS Command Execution by Mumbai, Ricter Zheng, and Shaksham Jaiswal
- Add search command CSV output option - adds an option to output the results of the search command to a CSV file
- bump payloads, ipv6 channel fixes - improves the Linux, OSX and Python Meterpreter payloads to properly support IPv6 addresses with network channels, as well as fixing issues with UDP channels in Python meterpreter.
- enable autofilter on tp-link camera exploit - fix disables auto exploitation with the exploits/linux/http/tp_link_sc2020n_authenticated_telnet_injection module due to false positives caused by basic credential authentication on targets that are not cameras.
- cleanup psexec code - consolidated common functionality of psexec modules into the smb/client/psexec mixin.
As always, you can update to the latest Metasploit Framework with
msfupdate and you can get more details on the changes since the last blog post from GitHub:
To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions. PLEASE NOTE that these installers, and Metasploit Framework versions included in distros such as Kali, Parrot, etc., are based off the stable Metasploit 4 branch. If you'd like to try out the newer things going into Metasploit 5, that work is available in the master branch of the Metasploit Framework repo on GitHub.